Saturday, April 12, 2014

Heartbleed and Reverse Heartbleed. The ring of pain grows

By now everybody has probably heard about the Heartbleed exploit in OpenSSL. One of the best explanations of how the Heartbleed exploit works came via an update from 1Password author Dave Teare and his pointer to an XKCD comic. Since the advice to everyone is to update your passwords, I wholeheartedly recommend 1Password from Agile Web Solutions. 1Password comes with apps for OS X, Windows, iPhone, iPad and Android. 1Password also has extensions for Safari, Chrome, Firefox and Internet Explorer. If you are going to be changing passwords across the Internet (and you should) then I recommend 1Password to help you manage your new passwords.

OpenID, OAuth and Heartbleed

I have been wondering about the ramifications of Heartbleed and whether there are risks for sites using OpenID and OAuth.

If you are not familiar with OpenID and OAuth, it is basically the dialog you go through when you visit a site and use your Facebook or Twitter credentials to log in. The advantage of OAuth and OpenID is that you can log in with a userid and password that you use regularly WITHOUT the website ever having to know what that userid and password is. Fewer userids and passwords to remember is a good thing. The same process is used when you give a website or service access to post to your Twitter or Facebook timelines.

So does Heartbleed have ramifications for OpenID and OAuth? There appears to be a secondary impact of Heartbleed, known as Reverse Heartbleed: the same missing length check, but exploited against a vulnerable OpenSSL client rather than a server. There is a test for Reverse Heartbleed. The exploit would involve sending a URL to the web infrastructure of a site that initiates outbound SSL connections, so that the site connects to a server the attacker controls. The OAuth credential approval process, in which the site itself fetches URLs over SSL, would seem to fit that situation. If the server behind that URL answers with a malicious heartbeat request, confidential data in the connecting site's memory could be exposed.
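Both Heartbleed and Reverse Heartbleed come down to one missing check: the peer's claimed heartbeat payload length was trusted instead of being compared against the record that actually arrived. The following is an added example of my own (not code from OpenSSL or from this post) showing the RFC 6520 validation that the fix applies on both the server and client side; the record layout is the standard one, and the buffers in the functions are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16
#define HB_REQUEST     1
#define HB_RESPONSE    2

/* Return 1 if the claimed payload_length fits inside the received record
 * together with the mandatory padding, else 0. A vulnerable OpenSSL trusted
 * the claimed length and copied that many bytes out of its own heap into the
 * echo response; the fix is this check, applied whether the code is acting
 * as server (Heartbleed) or as client (Reverse Heartbleed). */
int heartbeat_is_valid(const unsigned char *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* RFC 6520: 1 + 2 + payload_length + 16 must not exceed the record length. */
    return HB_HEADER_LEN + claimed + HB_MIN_PADDING <= rec_len;
}

/* Build the echo response into out (capacity out_cap). Returns the number of
 * bytes written, or 0 when the request is malformed and must be silently
 * discarded as RFC 6520 requires. */
size_t heartbeat_build_response(const unsigned char *req, size_t req_len,
                                unsigned char *out, size_t out_cap)
{
    if (!heartbeat_is_valid(req, req_len) || req[0] != HB_REQUEST)
        return 0;
    size_t payload_len = ((size_t)req[1] << 8) | req[2];
    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = req[1];
    out[2] = req[2];
    /* Copy only bytes the peer actually sent; never read past the record. */
    memcpy(out + HB_HEADER_LEN, req + HB_HEADER_LEN, payload_len);
    /* Padding is ignored by the receiver; zero it rather than echoing
     * whatever happened to be in the output buffer. */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return resp_len;
}
```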

What does this mean?

The use of OAuth and OpenID is a positive step on the Internet and helps us all reduce the number of userids and passwords we have to manage. With fewer userids and passwords, we can use more complex, safer passwords. It even allows us to think about using multi-factor authentication, such as can be applied to your web service accounts on AWS.

So anyway, I am off to start changing passwords on my web accounts….
